Security announce March 2024

Dear users,

Two serious security vulnerabilities were recently found in the PHP interpreter. They allow the bypassing of cookie security and the validation of incorrect passwords.

• Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix). (CVE-2024-2756)
• Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true, opening ATO risk). (CVE-2024-3096)

The PHP versions affected are:

• 7.4
• 8.0
• 8.1.0 to 8.1.27
• 8.2.0 to 8.2.17
• 8.3.0 to 8.3.5

We recommend that you update your installation to one of these versions as soon as possible:

• 7.4.33-1+deb11u5 (debian only) (SECURITY - DSA 5660-1 - php7.4 security update on Debian security list)
• 8.1.28 (changelog)
• 8.2.18 (changelog)
• 8.3.6 (changelog)

WIKINDX is indirectly affected by these flaws. However, if your WIKINDX installation is not exposed to the Internet, the risk is less.

--
Stéphane Aulery for WIKINDX Team